What is Role-Based Access Control (RBAC)?
Role-Based Access Control (RBAC) is a security method used to determine which permissions a user is granted based on the role they play within their company.
When utilizing RBAC, individual users are often associated with other users that perform similar functions within a group. That group is then associated with the role(s) that are deemed necessary for them to successfully complete their jobs.
Using the approach not only creates simplicity for administrators but is also less error prone than trying to track permissions for each user individually.
Limiting who is able to do what in any datacenter environment is a core element in separating responsibilities and protecting against accidental or nefarious actions from users.
In version 5.0 of the vSphere plugin, we are happy to introduce the ability to define vSphere-based roles and permissions for Everpure that cover VMware storage-related tasks. This capability enables vSphere administrators to enforce granular controls over other administrators and consumers of the vSphere environment at the storage layer.
How does RBAC work in Everpure plugin?
By default, the vSphere Client plugin allows all vSphere users to provision and manage FlashArrays within vSphere. By implementing the plugin's Role-Based Access Control (RBAC) feature the vSphere administrator is able to enforce which vSphere users should have permission to manage FlashArrays through the vSphere Client. All access control is implemented through vSphere's native permission structure and supports both vSphere local domain and Active Directory users.
While configuring RBAC through the plugin, new permission objects for FlashArray functionality are added into vCenter permission objects. It is important to note that RBAC access configuration does not override vSphere privileges. A vSphere user still requires all vCenter privileges required to complete what task is being requested; if a vSphere user does not have all permissions required to create a datastore, then the creation request will still fail. The vSphere Client RBAC feature is complimentary to vSphere's permission structure, not overriding.
The RBAC feature can be enabled for all FlashArrays that are configured within the plugin or for only specific FlashArrays. This is an optional feature in versions where it is available and is not required.
Definitions
A vCenter Role is simply a collection of one or more action(s) that can be executed. Available roles are grouped together within vCenter. For example, there is a Everpure set of available roles and a separate set of roles that applies to ESXi hosts and other options. A role can contain as few as one but as many actions as you wish to give to it. The Administrators role, which is built-in to vCenter, by default has all available actions available to it.
A vCenter Permission is the mechanism by which vSphere administrators define who is able to do what where. Permissions require a user and/or a group and a role to be assigned to them. Permissions can leverage users or groups from the local vCenter or from something external like Active Directory (AD) if the vCenter has been joined to the domain. Finally, permissions can be defined globally or they can be associated with individual objects within a vCenter instance like a Distributed Switch or a single ESXi cluster.
A vCenter Object is an object that exists within a vCenter instance. Examples can include a FlashArray, a datastore, a cluster or a distributed switch just to name a few. Objects are generally what permissions and roles are able to or not able to view or manipulate.
Requirements
- Minimum Plugin Version: Remote Plugin 5.0.0
- Installation Instructions for the vSphere Remote Plugin can be found Installing the vSphere Plugin with the Everpure VMware Appliance.
- Minimum Purity Version: 4.10
- Minimum vCenter Version: 6.7U3
- If Active Directory or other Identity Source is to be used, the vCenter instance needs to be registered against it. Here are instructions for how to join vCenter to an Active Directory (AD) domain. In the following examples, our vCenter instance is joined to a Windows AD domain.
How to Create a vSphere Role with Everpure Permissions
Role creation for use with Everpure within vCenter is no different than creating any other vCenter-based role so long as the plugin has been installed to make the Everpure roles available. To start, click on the vCenter Menu button and click on Administration.
From the Administration menu, click on the Roles option and then click on the + sign to create a new role. Alternatively, an existing role can be edited to add Everpure permissions to it but for this example we will create a new role.
In the New Role wizard, scroll down to the Everpure section and select the action(s) that you want the new role to be able to do. At the end of this guide, we show minimum permissions required in order to perform various vCenter actions with Everpure. Some Everpure actions only require selections from the Everpure role section while others require permissions from other areas as well. Multiple actions can be combined into a single role depending on how much or how little the administrator wants the role to be able to do. Once one or more actions for the new role have been selected, click on the Next button.
Provide a Name for the new role and optionally provide a Description. Click on Finish to complete.
The new role is now available to be assigned as a Global Permission within vCenter or can be directly assigned to a FlashArray as we will show in the next section.
How To Assign Role-Based Permissions within vCenter
Many of the daily operations needed by someone administering Everpure will include roles external to the Everpure set of roles. As an example, creating a new datastore not only requires appropriate permissions to the underlying FlashArray but also requires ESXi host permissions to perform operations like scanning the HBAs and datastore permissions to allocate new space. As such, we will show one way to associate a role with a user or group of users within vCenter so that it applies to the necessary objects.
To start, return to the vSphere Administrative menu and click on Global Permissions. Click on the + sign to add a new permission.
In the Add Permission screen, first select the Domain to be used (Active Directory in this example), enter the User or Group in that domain you want and then pick the Role from the pull-down menu. Optionally select if you want the permission to Propagate to children and finally click on OK.
Returning to the sample Role defined in the previous section, we can see under Usage that a single user now has this role assigned to them.
How To Assign Role-Based Permissions to a Everpure FlashArray
The permission assignment process shown in the previous section must also be applied in similar fashion within the Everpure plugin so that it applies to Everpure objects.
For plugin versions 5.5.0 and later, click the (1) RBAC section, select an existing (2) FlashArray and click the (3) plus sign.
For plugin versions before 5.5.0, Select the array from the plugin home screen, click on the Permissions tab and then click on the + sign to give a user or group permissions over the FlashArray.
In the Add Permission window, confirm the Array is the one you want to add the permission to, then from the pull down menu pick the Domain, followed by the User or Group you want to use for the permission. Lastly, select the Role you wish to assign against the FlashArray and click Submit.